Attestation format
SALT follows the in-toto Attestation Framework (IAF). The IAF provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations.
Attestations in the IAF are serialized as JSON.
Structure of an Attestation
The core of the IAF is the specification for in-toto attestation layers:
Envelope: Handles authentication and serialization.
Statement: Binds the attestation to a particular subject and unambiguously identifies the types of the predicate.
Predicate: Contains arbitrary metadata about a subject artifact, with a type-specific schema.
Bundle: Defines a method of grouping multiple attestations together.
In short, an Envelope is a signed attestation, conveying a Statement as payload (encoded in base64) and a Signature. Envelopes typically have one signature but may have multiple. A media type of application/vnd.in-toto.<predicate>+dss is assigned for envelopes.

A Statement binds a Subject and a Predicate, with a predicateType field that unambiguously identifies the type of the predicate via a type URI.

The Subject is the set of software artifacts that the attestation applies to. Each software artifact is represented by a ResourceDescriptor.

The Predicate is the innermost layer of the attestation, containing arbitrary data about the Statement's Subject. The framework specifies the format and semantics for some common fields.
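The three layers above, worked through end to end as an added example (not SALT's or in-toto's own code): a Statement is built for a constructed artifact, wrapped in a DSSE envelope, and then verified the way a consumer would, checking the signature over the DSSE pre-authentication encoding before trusting the decoded payload, and checking that the artifact digest actually appears in the subject. The predicate type URI, the artifact bytes and the key are constructed values; HMAC stands in for a real asymmetric signer.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample artifact and a stand-in key (illustration only, not a real signing key).
ARTIFACT = b"example release binary bytes"
SECRET_KEY = b"demo-hmac-key-for-illustration-only"
PAYLOAD_TYPE = "application/vnd.in-toto+json"  # payloadType in-toto uses inside DSSE envelopes


def build_statement(name: str, artifact: bytes, predicate_type: str, predicate: dict) -> dict:
    """Statement layer: binds a subject (ResourceDescriptor) to a typed predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes that are signed, not the raw payload."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def build_envelope(statement: dict, key: bytes) -> dict:
    """Envelope layer: base64 payload plus one or more signatures (HMAC stands in for a signer)."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope: dict, key: bytes, artifact: bytes, expected_type: str) -> dict:
    """Consumer side: verify a signature over the PAE, then check predicateType and subject."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        raise ValueError("no valid signature on envelope")
    statement = json.loads(payload)  # only decode after the signature check passes
    if statement["predicateType"] != expected_type:
        raise ValueError("unexpected predicateType")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s["digest"].get("sha256") == digest for s in statement["subject"]):
        raise ValueError("artifact is not a subject of this attestation")
    return statement["predicate"]
```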
Available Predicate Types
The following attestation predicates are supported:
In addition, Xygeni adds the following predicates: